LOGICAL ACCESS FOR University Medical Group, Saint Louis University

Presentation transcript:

1 LOGICAL ACCESS FOR University Medical Group, Saint Louis University

2 Agenda
- Logical Access: Definitions and Controls
- Workflow
- Documentation Process
- Password Security
- Monitoring
- Audit Tracking
- Helpful Links
- Q & A

3 DEFINITIONS
Logical Access: Process by which individuals are permitted to use computer systems and the networks to which these systems are attached. Applications and networks, and the services they provide, are available only to those individuals who are entitled to use them. Entitlement is typically based on some sort of predetermined relationship between the network or system owner and the user.

4 DEFINITIONS
- Access Form: Used in the Logical Access process to document and approve authorized access to systems/applications (see "Helpful Links" for examples).
- Product Managers: Responsible for the access management of the system or application (also referred to as Tech. Coordinators, Application Analyst or other title).
- Business Process Owner (BPO): Person(s) who have been authorized by UMG and ITS to approve access to systems/applications for a department.
- Key Controls (LA #): Denotes the key process controls within Logical Access identified and approved by the University.
- ITS: Saint Louis University, Information Technology Services.
- SLU-Care Service Desk: UMG/ITS help desk which creates Remedy tickets for service requests.
- Quality Assurance Administrator: Monitors and reviews for compliance all logical access management policies and processes.
- Remedy Management System (Remedy): Request tracking system used to record and document service requests.

5 DEFINITIONS
Segregation of Duties: Prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.
Examples of inadequate segregation: One person has access rights to:
- Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.
- Authorize disbursements, issue corresponding disbursements, and record corresponding disbursements entries.
- Set up a new employee, input pay rates/salary, and issue pay checks.
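The segregation of duties analysis can be run mechanically over an access listing or a change request. The following is an added example, not part of the original presentation; the function labels and user IDs are hypothetical stand-ins for the duties listed on the slide.

```python
# Added example. The function labels below are hypothetical names for the duties
# listed on the slide; they are not identifiers from any UMG/ITS system.
INCOMPATIBLE_SETS = {
    "billing": {"perform_billing", "receive_payments", "record_cash_receipts"},
    "disbursements": {"authorize_disbursement", "issue_disbursement",
                      "record_disbursement"},
    "payroll": {"set_up_employee", "input_pay_rate", "issue_paychecks"},
}


def sod_conflicts(functions):
    """Map each rule to the incompatible functions held when two or more are held."""
    held = set(functions)
    return {
        rule: sorted(held & members)
        for rule, members in INCOMPATIBLE_SETS.items()
        if len(held & members) >= 2
    }


def review_change_request(current, requested):
    """Analyse a change request: conflicts it would introduce or widen vs. ones
    that already exist and need a compensating control regardless."""
    before = sod_conflicts(current)
    after = sod_conflicts(set(current) | set(requested))
    introduced = {r: f for r, f in after.items() if before.get(r) != f}
    return {"introduced": introduced, "pre_existing": before}


def review_access_listing(listing):
    """Run the analysis over a whole access listing: {user: [functions]}."""
    return {u: c for u, f in listing.items() if (c := sod_conflicts(f))}


# Constructed sample data.
LISTING = {
    "jdoe": ["perform_billing", "input_pay_rate"],  # one duty from each set: ok
    "asmith": ["authorize_disbursement", "issue_disbursement"],
    "bnguyen": ["set_up_employee"],
}

if __name__ == "__main__":
    print(review_access_listing(LISTING))
    print(review_change_request(LISTING["jdoe"], ["receive_payments"]))
    print(review_change_request(LISTING["asmith"], ["record_disbursement"]))
```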

6 CONTROLS
- LA1: A formalized documented system for user access is established
- LA2: Full user Account information is documented and retained
- LA3: Authorized approval and documentation
- LA4: User access is verified by Process Owners
- LA5: Segregation of duties analysis
- LA6: Segregation of duties analysis for administrative users
- LA7: User password requirements are established and enabled
- LA8: Application password requirements are established and enabled
- LA9: Automatic lock-out controls are established and enabled
- LA10: Documentation and control for Terminations
- LA11: Monitoring Access Reviews
- LA12: Auto-Logging established, tracked and reviewed

7 WORKFLOW: Four Step Process
1. BPO approves the completed access forms
2. User completes required training
3. Product Manager reviews forms for completeness and approval, and documents into a Remedy ticket
4. Access is granted and confirmed

8 DOCUMENTATION (LA CONTROLS 1-6 AND 10)
ACCESS FORM - Basics
- User Information
- Type of Request
- Access Type, w/ specific details
- Statement of Approval
  - Accuracy of request
  - Knowledge of University policies and procedures
  - Required Training has been addressed
  - Segregation of duties has been considered
- Authorized Approver Signature
See "Helpful Links" for your specific application

9 DOCUMENTATION
Product Managers record the following information into Remedy:
For New or Change of Access:
- Attach Request Form (required)
- Verify and/or attach Confidentiality Agreement
- Verify User Current Access
- Notify Hiring Manager/Process Owner
For Termination of Access:
- Attach Request Form or Termination Report (required)
- Lock/Disable User Account
- Notify Hiring Manager

10 DOCUMENTATION (LA CONTROL 10)
Key Points to Remember:
1. Change/Delete Access
   - Similar process as a new user request
   - Requires an Access Form
   - Segregation of Duties Analysis for Change Request
   - All Changes recorded in Remedy
2. Termination Requests: submitted prior to user's last day
3. Notification to Human Resources prior to user's last day

11 PASSWORD SECURITY (LA CONTROLS 7-9)
- Password must be a minimum of 8 characters
- Password must not be the same as your "User Name"
- Password must be constructed using one of each of the following character types:
  - Uppercase alpha (A, B, C, D, E, …)
  - Lowercase alpha (a, b, c, d, e, …)
  - Numbers (1, 2, 3, 4, 5, 6, 7, 8, 9, 0)
- Passwords must not contain special characters (!, #, $, %, &, *)
- Passwords must not be easily guessed: must not be names, dictionary words, phone numbers, birthdays or contain their "User Name"
- Passwords must be different from the previous 12.
- New Users will be forced to change their passwords after their initial log in
- After 3 unsuccessful log-in attempts: user account will be suspended
- All passwords will expire after a minimal 180 days.
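The password rules above can be enforced at change time, including the previous-12 check, without ever storing old passwords in plaintext. This is an added example, not part of the original presentation. Assumptions: any non-alphanumeric character is treated as "special", the weak-word list is a small constructed sample, and phone-number and birthday checks are left out.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 12   # "different from the previous 12"
ITERATIONS = 100_000
# Constructed sample; a real check would load full dictionary and name lists.
WEAK_WORDS = {"password", "welcome", "letmein"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def in_history(password, history):
    """history: list of (salt, digest), newest last; only the last 12 count."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )


def policy_violations(password, username, history=()):
    """Return the list of slide rules that the candidate password breaks."""
    found = []
    if len(password) < 8:
        found.append("fewer than 8 characters")
    for label, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                           ("number", r"[0-9]")):
        if not re.search(pattern, password):
            found.append(f"no {label} character")
    if re.search(r"[^A-Za-z0-9]", password):
        found.append("contains a special character")
    if username and username.lower() in password.lower():
        found.append("contains the user name")
    if re.sub(r"[0-9]", "", password).lower() in WEAK_WORDS:
        found.append("dictionary word")
    if in_history(password, list(history)):
        found.append("matches one of the previous 12 passwords")
    return found
```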

12 PASSWORD SECURITY (LA CONTROLS 7-9)
Accessing or Changing your "MYSLU" ID Password
- Log into password.slu.edu with your SLUNET ID and temporary or existing password
- Go to "Change Password"
- Change your password to meet new security standards
- Confirm by logging into your MYSLU page
Refer to the specific application for more information

13 MONITORING (LA CONTROL #11)
Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. There are three types of reports:
1. Service Access Report
   - A comprehensive listing of user access rights
   - Review Timing: Bi-Annually
2. Termination Report
   - Lists users who have separated from the university, but who may still have access rights.
   - Review Timing: Weekly
3. Position Change Report
   - Lists users who have changed positions, which may require updates to access rights.
   - Review Timing: Weekly

14 MONITORING
The Monitoring Process
- Product Managers, with assistance from department management, ensure reviews are completed for respective areas.
- User access changes resulting from these reviews should be requested on an Access Form.
- Reviews of the Service Access Report, Termination Reports and Position Change Reports must be documented and retained.
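The weekly Termination Report review amounts to reconciling a separation list against the accounts that are still enabled, then retaining evidence of the review. This is an added example, not part of the original presentation; the record layout, user IDs and dates are constructed, and the system names are the product families named on the slides.

```python
from datetime import date

REVIEW_CYCLE_DAYS = 7  # Termination Report review timing on the slide: weekly


def termination_findings(separations, accounts, today):
    """separations: {user: last_day}. accounts: [{"user", "system", "enabled"}].
    Returns enabled accounts whose owner's last day has passed, oldest first."""
    findings = []
    for acct in accounts:
        last_day = separations.get(acct["user"])
        if last_day is None or not acct["enabled"]:
            continue  # still employed, or already locked/disabled
        overdue = (today - last_day).days
        if overdue > 0:  # a last day in the future is not yet a finding
            findings.append({
                "user": acct["user"],
                "system": acct["system"],
                "days_overdue": overdue,
                # Still enabled after a full cycle: a weekly review missed it.
                "missed_review": overdue > REVIEW_CYCLE_DAYS,
            })
    return sorted(findings,
                  key=lambda f: (-f["days_overdue"], f["user"], f["system"]))


def review_record(findings, reviewer, today):
    """Evidence line to retain, since reviews must be documented and retained."""
    missed = sum(f["missed_review"] for f in findings)
    return (f"{today.isoformat()} termination review by {reviewer}: "
            f"{len(findings)} open account(s), {missed} past one review cycle")


# Constructed sample data.
SEPARATIONS = {
    "asmith": date(2024, 3, 1),
    "bnguyen": date(2024, 3, 18),
    "cortiz": date(2024, 3, 29),   # termination request filed ahead of last day
}
ACCOUNTS = [
    {"user": "asmith", "system": "Banner", "enabled": True},
    {"user": "asmith", "system": "IDX", "enabled": False},
    {"user": "bnguyen", "system": "EHR", "enabled": True},
    {"user": "cortiz", "system": "eRS", "enabled": True},
    {"user": "jdoe", "system": "EHR", "enabled": True},
]

if __name__ == "__main__":
    found = termination_findings(SEPARATIONS, ACCOUNTS, date(2024, 3, 20))
    print(found)
    print(review_record(found, "pm1", date(2024, 3, 20)))
```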

15 AUDIT TRACKING (LA Control #12)
Utilization of operating systems' built-in auditing capabilities to monitor various events:
1. Logon and Logoff
2. Use of user rights
3. User & Group Management
4. Security Policy Changes
5. Restart, Shutdown, & System Failure
6. Changes, additions, deletions to tables, program codes, security tables

16 HELPFUL LINKS
- Banner Products Logical Access Information:
- IDX Products Logical Access Information:
- EHR Products Logical Access Information:
- eRS Products Logical Access Information:
- Logical Access Change Management Initiative:
Refer to Product Manager for all other products

17 THANK YOU Q & A